22-319 Bohnak v. Marsh & McLennan Companies, Inc.

In the United States Court of Appeals For the Second Circuit ______________

August Term, 2022

(Submitted: October 24, 2022 Decided: August 24, 2023)

Docket No. 22-319 ______________

NANCY BOHNAK, on behalf of themselves and all others similarly situated,

Plaintiff-Appellant,

JANET LEA SMITH, on behalf of themselves and all others similarly situated,

Plaintiff,

–v.–

MARSH & MCLENNAN COMPANIES, INC., A DELAWARE CORPORATION, MARSH & MCLENNAN AGENCY, LLC, A DELAWARE LIMITED LIABILITY COMPANY,

Defendants-Appellees.

______________

Before: NEWMAN, NARDINI, and ROBINSON, Circuit Judges. ______________

Plaintiff-Appellant Nancy Bohnak appeals from an order of the United States District Court for the Southern District of New York (Hellerstein, J.) dismissing her claims against Defendants-Appellees Marsh & McLennan Agency, LLC (“MMA”) and Marsh & McLennan Companies (“MMC”) (together, “Defendants”) for failure to plausibly plead a “claim upon which relief can be granted,” Fed. R. Civ. P. 12(b)(6). The Defendants defend the order on the ground that the district court lacked subject matter jurisdiction, Fed. R. Civ. P. 12(b)(1), because Bohnak lacked Article III standing. Both claims turn on whether Bohnak has validly pled that she suffered an Article III injury in fact. Bohnak filed this nationwide class action on behalf of herself and others similarly situated after her personally identifying information (“PII”), including her name and Social Security number, which had been entrusted to Defendants, were exposed to an unauthorized third party as a result of a targeted data hack.

This case requires us to consider the proper framework for evaluating whether an individual whose PII is exposed to unauthorized actors, but has not (yet) been used for injurious purposes such as identity theft, has suffered an injury in fact for purposes of Article III standing to sue for damages. In particular, we are called upon to determine how the Supreme Court’s decision in TransUnion, LLC v. Ramirez,

(2021), impacts this Court’s previous holding in McMorris v. Carlos Lopez & Associates,

(2d Cir. 2021).

We conclude that with respect to the question whether an injury arising from risk of future harm is sufficiently “concrete” to constitute an injury in fact, TransUnion controls; with respect to the question whether the asserted injury is “actual or imminent,” the McMorris framework continues to apply in data breach cases like this.

Applying the above framework, we conclude that Bohnak’s allegation that an unauthorized third party accessed her name and Social Security number through a targeted data breach gives her Article III standing to bring this action against the defendants to whom she had entrusted her PII. We further conclude that the district court erred in dismissing Bohnak’s claims for failure to plausibly allege cognizable damages. We thus REVERSE the district court’s order dismissing Bohnak’s claims for damages and REMAND for further proceedings.

2 ______________

John A. Yanchunis, Kenya Reddy, Morgan and Morgan, Tampa, FL, for Plaintiff-Appellant.

Travis LeBlanc, Cooley LLP, Washington, D.C., Tiana Demas, Cooley LLP, New York, NY, for Defendants-Appellees. ______________

ROBINSON, Circuit Judge:

This case requires us to consider the proper framework for evaluating

whether an individual whose personally identifying information (“PII”) is

exposed to unauthorized actors, but has not (yet) been used for injurious purposes

such as identity theft, has suffered an injury in fact for purposes of (1) Article III

standing to sue for damages and (2) pleading a “claim upon which relief can be

granted,” Fed. R. Civ. P. 12(b)(6). In particular, we are called upon to determine

how the Supreme Court’s decision in TransUnion, LLC v. Ramirez,

(2021), impacts this Court’s previous holding in McMorris v. Carlos Lopez &

Associates,

(2d Cir. 2021).

To establish Article III standing under the U.S. Constitution, a plaintiff must

show (1) an injury in fact (2) caused by the defendant, (3) that would likely be

redressable by the court. Thole v. U.S. Bank N.A.,

(2020). At

issue here is the first element: injury in fact. “Injury in fact,” in turn, embodies

3 three components: it must be “concrete, particularized, and actual or

imminent.”

We conclude that with respect to the question whether an injury

arising from risk of future harm is sufficiently “concrete” to constitute an injury in

fact, TransUnion controls; with respect to the question whether the asserted injury

is “actual or imminent,” the McMorris framework continues to apply in data

breach cases like this.

Plaintiff-Appellant Nancy Bohnak appeals from an order 1 of the United

States District Court for the Southern District of New York (Hellerstein, J.)

dismissing her claims against Defendants-Appellees Marsh & McLennan Agency,

LLC (“MMA”) and Marsh & McLennan Companies (“MMC”) (together,

“Defendants”) for failure to state a claim. 2 Bohnak v. Marsh & McLennan Cos., Inc.,

(S.D.N.Y. 2022). Applying the above framework, we conclude

that Bohnak’s allegation that an unauthorized third party accessed her name and

Social Security number (“SSN”) through a targeted data breach gives her

1 The notice of appeal states that Bohnak appeals “from the Order and Opinion . . . entered . . . on January 17, 2022.” (The order was in fact entered January 18, 2022, see Dist. Ct. Dkt. No. 32.) That order is appealable because it was a “final decision,”

, that disposed of the entire case, see Bankers Trust Co. v. Mallis,

(1978) (“[T]he District Court clearly evidenced its intent that the opinion and order from which an appeal was taken would represent the final decision in the case.”). However, when a judgment is entered, as it was in this case on January 28, 2023 (Dist. Ct. Dkt. No. 33), the better practice is to appeal the judgment. That avoids any dispute as to whether an earlier entered order qualifies as a final decision. 2 Janet Lee Smith was a plaintiff in the underlying action but is not a party to this appeal.

4 Article III standing to bring this action against the defendants to whom she had

entrusted her PII. We further conclude that the district court erred in dismissing

Bohnak’s claims for failure to plausibly allege cognizable damages because we

hold that by pleading a sufficient Article III injury in fact, Bohnak also satisfies the

damages element of a valid claim for relief.

For the reasons set forth below, we REVERSE the district court’s order

dismissing Bohnak’s claims for damages and REMAND for further proceedings.

BACKGROUND 3

MMC “is the world’s leading professional services firm in the areas of risk,

strategy and people,” App’x 9, ¶ 3; MMA is a wholly owned subsidiary of MMC

and serves “the risk prevention and insurance needs of middle market companies

in the United States,” id. ¶ 4. Defendants stored PII such as “Social Security or

other federal tax identification number[s], driver’s license or other government

issued identification, and passport information” of at least 7,000 individuals.

App’x 8-9, ¶ 2. The PII at issue relates to “(i) Defendants’ current and former

employees and spouses and dependents thereof; (ii) current and former employees

of Defendants’ clients, contractors, applicants and investors; and (iii) individuals

3 This account is drawn from the allegations in Bohnak’s complaint, which we must accept as true for purposes of evaluating Defendants’ motion to dismiss. Ashcroft v. Iqbal,

(2009).

5 whose information Defendants acquired through the purchase of or merger with

another business.” App’x 8, ¶ 1.

Bohnak is MMA’s former employee, and “[a]s a condition of [] Bohnak’s

employment, Defendants required that she entrust her PII, including but not

limited to her Social Security or other federal tax id number.” 4 App’x 21, ¶ 58.

In April 2021 an “unauthorized actor . . . leveraged a vulnerability in a third

party’s software” and accessed Bohnak’s PII, including her “name and . . . Social

Security or other federal tax id number.” App’x 14, ¶ 30.

PII is of “high value to criminals, as evidenced by the prices they will pay

through the dark web.” 5 App’x 17, ¶ 44. “[SSNs], for example, are among the

worst kind of personal information to have stolen because they may be put to a

variety of fraudulent uses and are difficult for an individual to change.” App’x 18,

¶ 45. Specifically, “[a]n individual cannot obtain a new [SSN] without significant

paperwork and evidence of actual misuse.” Id. ¶ 46.

4 The record is silent as to when Bohnak’s employment with MMA began, but it ended “[i]n or around 2014.” App’x 21 ¶ 58. 5 “The Dark Web is a general term that describes hidden Internet sites that users cannot access

without using special software.” McMorris,

n.4 (quoting Kristin Finklea, Cong. Rsch. Serv., 7-5700, Dark Web 2 (2017)). “Not surprisingly, criminals and other malicious actors . . . use the [D]ark [W]eb to carry out technology-driven crimes, such as computer hacking, identity theft, credit card fraud, and intellectual property theft.”

(quoting Ahmed Ghappour, Searching Places Unknown: Law Enforcement Jurisdiction on the Dark Web,

, 1090 (2017)).

6 Despite the sensitivity of the data in Defendants’ possession, they did not

secure the data from potential unauthorized actors through encryption, and the

data continues to be unencrypted.

In contrast, Bohnak has been “very careful about sharing her PII. She has

never knowingly transmitted her unencrypted sensitive PII over the internet or

any other unsecured source.” App’x 21, ¶ 61. She “stores any documents

containing her PII in a safe and secure location or destroys the documents,” and

“she diligently chooses unique usernames and passwords for her various online

accounts.” App’x 21–22, ¶ 62.

After Defendants notified Bohnak of the data breach (two months after

Defendants learned of the incident), Bohnak filed this nationwide class action on

behalf of herself and others similarly situated. She alleges that Defendants failed

to: “(i) adequately protect the PII of [Bohnak] and Class Members; (ii) warn

[Bohnak] and Class Members of Defendants’ inadequate information security

practices; and (iii) effectively secure hardware containing protected PII using

reasonable and effective security procedures free of vulnerabilities and

incidents.” App’x 11, ¶ 14.

7 Asserting state law claims of negligence, breach of implied contract, and

breach of confidence, Bohnak alleges that she and Class Members suffered the

following injuries:

(i) lost or diminished value of PII; (ii) out-of-pocket expenses associated with the prevention, detection, and recovery from identity theft, tax fraud, and/or unauthorized use of their PII; (iii) lost opportunity costs associated with attempting to mitigate the actual consequences of the Data Breach, including but not limited to lost time, and (iv) the continued and certainly increased risk to their PII, which: (a) remains unencrypted and available for unauthorized third parties to access and abuse; and (b) may remain backed up in Defendants’ possession and is subject to further unauthorized disclosures so long as Defendants fail[] to undertake appropriate and adequate measures to protect the PII.

App’x 11, ¶ 15.

Defendants moved to dismiss Bohnak’s complaint under Federal Rule of

Civil Procedure 12(b)(1) for lack of subject matter jurisdiction, arguing that Bohnak

lacks Article III standing. In the alternative, Defendants moved to dismiss the

complaint under Rule 12(b)(6) because Bohnak fails to allege any cognizable

damages.

The district court rejected Defendants’ argument that Bohnak lacked Article

III standing, reasoning that, although the future, indefinite risk of identity theft

involving her compromised PII by itself was insufficient to establish an injury in

fact under TransUnion, Bohnak plausibly alleged a separate concrete injury,

8 analogous to that associated with the common-law tort of public disclosure of

private information, that could support Article III standing.

However, the district court accepted Defendants’ argument that Bohnak

had failed to state a claim for which relief can be granted, reasoning that she had

not plausibly alleged cognizable damages arising from the disclosure of her PII.

In particular, the district court concluded that Bohnak could only speculate about

the extent of any future harm, and that the damages arising from any risk of future

harm are not “capable of proof with reasonable certainty.” Bohnak, 580 F. Supp.

3d at 31. The court concluded that Bohnak’s alleged loss of time and money

responding to the increased risk of harm is not “cognizable” because it was not

proximately caused by the harm of disclosure which, the court emphasized, was

“the only harm for which [the court] found Plaintiffs have Article III standing.” Id.

Moreover, the court reasoned that Bohnak’s prayer for injunctive relief is

based on the same harms as her claims for monetary relief, indicating the harms

are compensable through money damages. In the court’s view, a permanent

injunction is thus unavailable. Because the court concluded that Bohnak does not

plausibly allege a claim for damages or injunctive relief, it dismissed Bohnak’s

claims pursuant to Rule 12(b)(6). Bohnak appealed.

9 DISCUSSION

Bohnak challenges the district court’s conclusion that she cannot establish

standing merely by virtue of the risk of future misuse of her PII (such as identity

theft or fraud), and in so arguing implicitly challenges the reasoning underlying

the court’s dismissal of her claims for failure to state a cognizable claim for

damages. Defendants, on the other hand, contend that because her claims are

predicated on a risk of future harm, Bohnak lacks standing altogether.

We conclude that Bohnak has standing to pursue her claims for relief, and

that she has adequately alleged a cognizable claim for damages. 6

I. Standing

We first consider whether Bohnak has established Article III

standing. See Central States SE and SW Areas Health and Welfare Fund v. Merck–

Medco Managed Care, LLC,

(2d Cir. 2005) (“If plaintiffs lack Article

III standing, a court has no subject matter jurisdiction to hear their claim.”).

“Because standing is challenged on the basis of the pleadings, we accept as

true all material allegations of the complaint, and must construe the complaint in

6Bohnak has not challenged the district court’s determination that she failed to plausibly allege a claim that would entitle her to injunctive relief, and her challenge to the district court’s standing analysis does not directly undercut the court’s rationale for dismissing her claims for injunctive relief. Accordingly, we deem any challenge to the district court’s dismissal of her claim for injunctive relief waived, and do not address her claims for injunctive relief on appeal.

10 favor of the complaining party.” W.R. Huff Asset Mgmt. Co., LLC v. Deloitte &

Touche, LLP,

(2d Cir. 2008) (internal quotation marks omitted). In

this context, we determine whether a plaintiff has constitutional standing to sue

without deference to the district court.

As noted above, to establish Article III standing, a plaintiff must show (1) an

injury in fact that is “concrete, particularized, and actual or imminent,” (2) that the

injury was caused by the defendant, and (3) that the injury would likely be

redressable by the court. Thole,

. At issue here is the first

element—an injury in fact that is “concrete, particularized, and actual or

imminent.”

Bohnak argues that the district court erred by concluding that the risk of

future harm arising from the disclosure of her PII is not a cognizable injury for

standing purposes. In particular, she argues that the district court erred in

concluding that the Supreme Court’s decision in TransUnion calls into question the

continuing vitality of this Court’s decision in McMorris. And she contends that

under the framework established in McMorris, she has standing to pursue her

claims.

Defendants contend that TransUnion forecloses any argument that Bohnak

has standing based on a risk of future harm, that Bohnak cannot establish standing

11 based on the factors set forth in McMorris, and that the district court erred in

concluding that Bohnak did have standing to pursue her claims based on the

injury from the exposure of her PII.

We conclude that TransUnion is the touchstone for determining whether

Bohnak has alleged a concrete injury, and that under TransUnion, Bohnak’s alleged

injuries arising from the risk of future harm are concrete. We further conclude that

McMorris is the touchstone for determining whether Bohnak has alleged an “actual

or imminent” injury, and that under McMorris, Bohnak’s alleged injuries are

“actual or imminent.” McMorris,

. Given these conclusions, and

because the other elements of Article III standing are undisputedly met, we

conclude that Bohnak has Article III standing, and we have jurisdiction to review

this appeal.

A. TransUnion: Concreteness

i. The Court’s Holding

In TransUnion, in a distinct but somewhat analogous context, the Supreme

Court considered whether a risk of future injury alone is sufficiently concrete to

be an injury in fact for purposes of Article III standing.

(“The

question in this case focuses on the Article III requirement that the plaintiff’s injury

in fact be ‘concrete,’—that is, ‘real, and not abstract.’”).

12 The conflict in TransUnion arose from a product designed to help businesses

avoid transacting with individuals on the United States Treasury Department’s

Office of Foreign Assets Control (“OFAC”) list of “specially designated nationals

who threaten America’s national security.”

(internal quotation

marks omitted). When TransUnion (a “Big Three” credit reporting agency)

conducted a credit check for subscribers to their special service, it used third-party

software to compare the consumer’s name against the OFAC list.

. As

the Supreme Court explained,

If the consumer’s first and last name matched the first and last name of an individual on OFAC’s list, then TransUnion would place an alert on the credit report indicating that the consumer’s name was a “potential match” to a name on the OFAC list. TransUnion did not compare any data other than first and last names.

TransUnion’s system produced many false positives, as many law-abiding

Americans share names with individuals on OFAC’s list of specially designated

nationals.

Sergio Ramirez, the named plaintiff, was one such law-abiding

American.

He tried to purchase a car from a dealership, but the dealership

refused to sell it to him after receiving a report from TransUnion that he was on

OFAC’s list.

Ramirez filed a class action on behalf of himself and the rest of

the proposed 8,185 class members seeking statutory damages for TransUnion’s

13 violations of the Fair Credit Reporting Act (“FCRA” or the “Act”).

.

FCRA “imposes a host of requirements concerning the creation and use of

consumer reports.”

(internal quotation marks omitted). Ramirez alleged that

in connection with its new product, TransUnion “failed to follow reasonable

procedures to ensure the accuracy of information in his credit file.”

.

The proposed class of individuals all received notice from TransUnion that their

names were considered a potential match to names on the OFAC list.

During

the class period, TransUnion had distributed reports to potential creditors

concerning only 1,853 of the 8,185 class members.

In evaluating whether all of the class members’ injuries arising from

TransUnion’s alleged statutory violations had suffered an injury in fact supporting

Article III standing, the Supreme Court focused its analysis on the issue of whether

the plaintiffs had shown a “concrete harm.”

at 2208–09.

In considering whether the plaintiffs’ alleged injuries were sufficiently

concrete to constitute an injury in fact for purposes of their claim for damages, the

Court considered whether their injuries bore a “‘close relationship’ to a harm

‘traditionally’ recognized as providing a basis for a lawsuit in American

courts.”

at 2204 (quoting Spokeo, Inc. v. Robins,

(2016)). The

Court recognized that “traditional tangible harms,” such as physical harms and

14 monetary harms, “readily qualify as concrete injuries under Article III.”

But it

went on to recognize that harms beyond those traditional tangible harms can also

support standing:

Various intangible harms can also be concrete. Chief among them are injuries with a close relationship to harms traditionally recognized as providing a basis for lawsuits in American courts. Those include, for example, reputational harms, disclosure of private information, and intrusion upon seclusion.

(citation omitted).

Applying this framework, the Court had “no trouble” concluding that the

1,853 class members whose false OFAC designations were sent to third parties had

suffered a concrete injury. Id. at 2209. The Court reasoned that such an injury

“bears a ‘close relationship’ to a harm traditionally recognized as providing a basis

for a lawsuit in American courts—namely, the reputational harm associated with

the tort of defamation.” Id. (quoting Spokeo,

). Therefore, the Court

concluded that the 1,853 class members whose reports were disseminated to third

parties suffered a concrete injury in fact under Article III.

Significantly, the

Court concluded that the publication of false information about these class

members to third parties was itself enough to establish a concrete injury; it did not

take further steps to evaluate whether those third parties used the information in

ways that harmed the class members.

15 On the other hand, the Court concluded that the remaining 6,332 class

members whose credit reports were not shared with third parties had not suffered

a concrete injury, explaining that there is “no historical or common-law analog

where the mere existence of inaccurate information, absent dissemination,

amounts to concrete injury.”

(internal quotation marks omitted). The Court

distinguished between credit reports published to third parties and files that

consumer reporting agencies maintain internally. Id. at 2210. It analogized

misleading information merely sitting in a company database to a defamatory

letter stored in a desk drawer and never sent; the Court explained that in both

cases, legally speaking, nobody is harmed. Id.

The Court gave two answers of note in response to the arguments on behalf

of the 6,332 class members that the existence of misleading OFAC alerts in their

internal credit files exposed them to a material risk that the information would be

disseminated to third parties in the future and thereby caused them present harm.

First, it explained that, although mere risk of future harm does not provide

standing to seek retrospective damages where actual harm never materialized, “a

person exposed to a risk of future harm may pursue forward-looking, injunctive

relief to prevent the harm from occurring, at least so long as the risk of harm is

16 sufficiently imminent and substantial.” Id. (citing Clapper v. Amnesty Int’l USA,

, 414 n.5 (2013)).

Second, the Court noted that a risk of future harm could “itself cause[] a

separate concrete harm,” in which case the plaintiff would have standing to pursue

damages premised on that separate concrete harm. Id. at 2211 (emphasis in

original). For example, the Court suggested that evidence that the class members

suffered some other injury, such as emotional injury, from the risk that their

reports would be provided to third-party businesses could give them standing to

seek damages. Id.

These principles guide our assessment of whether Bohnak’s alleged harm is

sufficiently “concrete” to support Article III standing.

ii. Application to Bohnak’s Claims

Like the Supreme Court in TransUnion, we have no trouble concluding that

Bohnak’s alleged harm is sufficiently concrete to support her claims for damages.

Similar to the publication of misleading information about some of the plaintiffs

in TransUnion, the core injury here—exposure of Bohnak’s private PII to

unauthorized third parties—bears some relationship to a well-established

common-law analog: public disclosure of private facts. See Restatement (Second)

Torts § 652D (“One who gives publicity to a matter concerning the private life of

17 another is subject to liability to the other for invasion of . . . privacy, if the matter

publicized is of a kind that (a) would be highly offensive to a reasonable person,

and (b) is not of legitimate concern to the public.”). Bohnak’s position is thus

similar to that of the 1,853 class members who had standing in TransUnion based

on the publication of misleading information to third parties without regard to

whether the third parties used the information to cause additional harm.

We need not stretch to reach this conclusion. In TransUnion itself, the

Supreme Court specifically recognized that “disclosure of private information”

was an intangible harm “traditionally recognized as providing a basis for lawsuits

in American courts.”

(citing Davis v. Federal Election Comm’n,

(2008)). It thus described an injury arising from such disclosure as

“concrete” for purposes of the Article III analysis.

The core of the injury

Bohnak alleges here is that she has been harmed by the exposure of her private

information—including her SSN and other PII—to an unauthorized malevolent

actor. This falls squarely within the scope of an intangible harm the Supreme

Court has recognized as “concrete.”

We recognize that Bohnak does not in this case assert a common law claim

for public disclosure of private facts, and it matters not whether New York

common law recognizes a tort relating to publication of private facts. For the

18 purposes of the “concreteness” analysis under TransUnion, what matters is that

the intangible harm arising from disclosure of one’s PII bears a relationship to an

injury with a “close historical or common-law analogue.”

And that analog

need not be “an exact duplicate.” Id. at 2209.

In addition, Bohnak’s allegations establish a concrete injury for purposes of

her damages claim for a separate reason: she has suffered “separate concrete

harm[s]” as a result of the risk of future harm occasioned by the exposure of her

PII. Id. at 2211 (emphasis omitted). In particular, she has alleged among other

things that she incurred “out-of-pocket expenses associated with the prevention,

detection, and recovery from identity theft” and “lost time” and other

“opportunity costs” associated with attempting to mitigate the consequences of

the data breach. App’x 11, ¶ 15. These separate and concrete harms foreseeably

arising from the exposure of Bohnak’s PII to a malign outside actor, giving rise to

a material risk of future harm, independently support standing.

Our conclusion on this point is consistent with our analysis in McMorris, in

which we explained with reference to the injury-in-fact question more broadly that

“where plaintiffs have shown a substantial risk of future identity theft or fraud,

any expenses they have reasonably incurred to mitigate that risk likewise qualify

as injury in fact.”

(internal quotation marks omitted).

19 It also echoes the First Circuit’s conclusion in Webb v. Injured Workers

Pharmacy, LLC,

(1st Cir. 2023). In that case, the First Circuit considered

the standing of a plaintiff whose PII had been exposed in a data breach by a home-

delivery pharmacy service. There was no allegation that the plaintiff’s PII had

actually been misused, although other PII in the same dataset had been. Applying

the lessons of TransUnion, the court concluded that the plaintiff had plausibly

alleged a “separate concrete, present harm” caused by exposure to the risk of

future harm. Webb,

. In particular, the plaintiff had alleged that she

spent “considerable time and effort” monitoring her accounts to protect them.

(internal quotation marks omitted). The First Circuit joined other circuits in

concluding that “time spent responding to a data breach can constitute a concrete

injury sufficient to confer standing, at least when that time would otherwise have

been put to profitable use.”

. The court noted, “Because this alleged

injury was a response to a substantial and imminent risk of harm, this is not a case

where the plaintiffs seek to ‘manufacture standing by incurring costs in

anticipation of non-imminent harm.’”

(quoting Clapper,

).

The Third Circuit reached a similar conclusion in Clemens v. ExecuPharm Inc.,

(3d Cir. 2022)—another post-TransUnion data breach case. In Clemens,

the Third Circuit concluded:

20 Following TransUnion’s guidance, we hold that in the data breach context, where the asserted theory of injury is a substantial risk of identity theft or fraud, a plaintiff suing for damages can satisfy concreteness as long as [the plaintiff] alleges that the exposure to that substantial risk caused additional, currently felt concrete harms. For example, if the plaintiff’s knowledge of the substantial risk of identity theft causes [the plaintiff] to presently experience emotional distress or spend money on mitigation measures like credit monitoring services, the plaintiff has alleged a concrete injury.

at 155–56; see also In re U.S. OPM Data Security Breach Litigation,

(D.C. Cir. 2019) (noting that the Supreme Court has recognized standing to sue

“on the basis of costs incurred to mitigate or avoid harm when a substantial risk

of harm actually exists” (quoting discussion of Clapper in Hutton v. Nat’l Bd. of

Examiners in Optometry,

(4th Cir. 2018))); Dieffenbach v. Barnes &

Noble, Inc.,

(7th Cir. 2018) (monthly fees for credit monitoring

secured in response to a data breach are “real and measurable” actual damages).

For these reasons, given the close relationship between Bohnak’s data

exposure injury and the common law analog of public disclosure of private facts,

and, alternatively, based on her allegations that she suffered concrete present

harms due to the increased risk that she will in the future fall victim to identity

theft as a result of the data breach, we conclude that Bohnak has alleged an injury

that is sufficiently concrete to constitute an injury in fact for purposes of her

damages claim.

21 B. McMorris: Imminence

Our conclusion that Bohnak’s injury is concrete does not fully resolve the

standing question because it addresses only one component of injury in fact. The

“particularity” requirement for an injury in fact is not in dispute here, but whether

Bohnak’s injury is “actual or imminent” is. Our pre-TransUnion decision in

McMorris guides our analysis of this component.

i. The Court’s Holding

In McMorris, the plaintiffs brought a putative class action against their

employer asserting claims for negligence and violations of consumer protection

laws resulting from inadvertent dissemination of a company-wide email

containing their sensitive PII.

. The plaintiffs alleged that because

their PII had been disclosed to all of the defendant’s then current employees,

plaintiffs were “at imminent risk of suffering identity theft and becoming the

victims of unknown but certainly impending future crimes.”

(internal

quotation marks omitted).

As in this case, the issue in McMorris was whether the plaintiffs had suffered

an injury in fact.

. But, in McMorris we considered the question

holistically, without breaking the injury-in-fact analysis into its components. See

(“This case concerns . . . the first element of Article III standing: the existence of

22 an injury in fact.”). Because many of our insights in McMorris relate most closely

to the issue of whether the future harm is sufficiently “actual or imminent,”

TransUnion, which did not purport to address matters beyond “concreteness,”

does not fully supplant our analysis in McMorris.

In McMorris, we explained that “a future injury constitutes an Article III

injury in fact only ‘if the threatened injury is certainly impending, or there is a

substantial risk that the harm will occur.’”

(quoting Susan B.

Anthony List v. Driehaus,

, 158 (2014)). We then identified and endorsed

three non-exhaustive factors that courts have considered in determining whether

plaintiffs whose PII has been compromised but not yet misused face a substantial

risk of harm.

First, we said that the most important factor in determining whether a

plaintiff whose PII has been exposed has alleged an injury in fact is whether the

data was compromised as the result of a targeted attack intended to get

PII. McMorris,

. Where a malicious third party has intentionally

targeted a defendant’s system and has stolen a plaintiff’s data stored on that

system, courts are more willing to find a likelihood of future identity theft or fraud

sufficient to confer standing.

We embraced the Seventh Circuit’s reasoning in

one such case: “Why else would hackers break into a store’s database and steal

23 consumers’ private information? Presumably, the purpose of the hack is, sooner

or later, to make fraudulent charges or assume those consumers’ identities.”

(quoting Remijas v. Neiman Marcus Grp., LLC,

(7th Cir. 2015)).

Second, we observed that, “while not a necessary component of establishing

standing,” courts have been more likely to conclude that a plaintiff has established

a “substantial risk of future injury” where some part of the compromised dataset

has been misused—even if a plaintiff’s own data has not. Id. at 301. For example,

fraudulent charges to the credit cards of other customers impacted by the same

data breach, or evidence that a plaintiff’s PII is available for sale on the Dark Web,

can support a finding that a plaintiff is at a substantial risk of identity theft or

fraud. Id. at 301–02.

Third, we explained that courts may consider whether the exposed PII is of

the type “more or less likely to subject plaintiffs to a perpetual risk of identity theft

or fraud once it has been exposed.” Id. at 302. On one hand, we noted that “the

dissemination of high-risk information such as [SSNs] . . . especially when

accompanied by victims’ names—makes it more likely that those victims will be

subject to future identity theft or fraud.” Id. On the other hand, we reasoned that

the exposure of data that is publicly available, or that can be rendered useless (like

24 a credit card number unaccompanied by other PII), is less likely to subject plaintiffs

to a perpetual risk of identity theft. Id.

Insofar as these factors shed light on whether the future harm of identity

theft or fraud resulting from a data breach is sufficiently actual and imminent (as

opposed to concrete), we see nothing in TransUnion that overrides our analysis,

and McMorris remains a touchstone.

ii. Application to Bohnak’s Claims

Considering these three factors, we conclude that Bohnak has sufficiently

alleged that she faces an imminent risk of injury—that is, a “substantial risk that

the harm will occur.” Id. at 300 (internal quotation marks omitted).

First and foremost, Bohnak has alleged that her PII was exposed as a result

of a targeted attempt by a third party to access the data set. App’x 14, ¶ 30; see

McMorris,

(considering “whether the data at issue has been

compromised as the result of a targeted attack intended to obtain the plaintiffs’

data.”). In particular, she alleges, based on Defendants’ own report to her, that an

“unauthorized actor [i.e., a hacker] . . . leveraged a vulnerability in a third party’s

software” and gained access to her PII. App’x 14, ¶ 30. This was not an

inadvertent, intra-company disclosure; it was a targeted hack.

25 Second, Bohnak alleges that the PII taken by the hackers includes her name

and SSN.

This is exactly the kind of information that gives rise to a high risk

of identity theft. McMorris,

. As Bohnak has alleged, SSNs “are

among the worst kind of personal information to have stolen because they may be

put to a variety of fraudulent uses and are difficult for an individual to change.”

App’x 18, ¶ 45. And one cannot get a new SSN without “evidence of actual

misuse,” making it difficult to take preventive action to guard against the misuse

of the compromised number. Id. ¶ 46.

We recognize that Bohnak has not pulled off a hat trick with respect to the

factors identified in McMorris; she has not alleged any known misuse of

information in the dataset accessed in the hack. But we emphasized in McMorris

that such an allegation is not necessary to establish that an injury is sufficiently

imminent to constitute an injury in fact.

. We conclude that the

allegations of a targeted hack that exposed Bohnak’s name and SSN to an

unauthorized actor are sufficient to suggest a substantial likelihood of future

harm, satisfying the “actual or imminent harm” component of an injury in fact.

26 Because Bohnak has alleged a concrete and imminent injury, and because

her injury is undisputedly particular, she has pled an injury in fact. 7 And because

Bohnak has pled that Defendants caused her injury, and her injuries would be

redressed through money damages, we conclude that Bohnak has Article III

standing to pursue her damages claim. 8

II. Bohnak’s Damages Claim

Our discussion of standing all but disposes of the damages issue. 9 The

district court dismissed Bohnak’s claims on the basis that her damages are not

“capable of proof with reasonable certainty,” and her alleged loss of time and

money responding to the increased risk of harm was not “cognizable.” Bohnak,

580 F. Supp. 3d at 31.

For the reasons set forth above, Bohnak’s alleged injury arising from the

increased risk of harm is cognizable for standing purposes, and thus could support

7 No party has suggested that the “particularity” requirement for an injury in fact is an obstacle to Bohnak’s claims. See Strubel v. Comenity Bank,

(2d Cir. 2016) (explaining that “to satisfy the particularity requirement” an injury must be “distinct from the body politic”). Here, Bohnak has specifically alleged that her PII was compromised during a data breach that impacted a finite number of people, making her injury “distinct from the body politic.” 8 Defendants challenge Bohnak’s claims on the merits on the basis that she hasn’t plausibly

alleged cognizable damages. But in contesting her standing, Defendants have not argued that Bohnak has failed to establish the causation and redressability elements of standing. 9 We reject Defendants’ contention that Bohnak waived her challenge to the district court’s

dismissal of her claim pursuant to Rule 12(b)(6). In this case, the district court’s conclusion that Bohnak did not plausibly plead damages rested entirely on the court’s conclusion that she lacked standing to seek damages based upon a risk of future harm. Bohnak’s challenge to that conclusion was a challenge to the court’s analysis of her damages.

27 a claim for damages. As the Seventh Circuit explained in a similar case: “To say

that the plaintiffs have standing is to say that they have alleged injury in fact, and

if they have suffered an injury then damages are available.” Dieffenbach,

.

Moreover, Bohnak has pled additional injuries—the time and money spent

trying to mitigate the consequences of the data breach—with respect to which

damages are unquestionably capable of reasonable proof. See App’x 11 ¶ 15; see

E.J. Brooks Co. v. Cambridge Sec. Seals,

, 448–49 (2018) (compensatory

damages “cannot be remote, contingent or speculative,” but the standard “is not

one of ‘mathematical certainty’ but only ‘reasonable certainty’” (quoting Steitz v.

Gifford,

(1939))); Aqua Dredge, Inc. v. Stony Point Marina & Yacht

Club, Inc.,

(3d Dep’t 1992) (“In computing damages for

breach of contract, mathematical certainty is rarely attained or even expected.”).

CONCLUSION

In sum, we conclude that the Supreme Court’s decision in TransUnion

governs the analysis of whether a risk of future injury is sufficiently concrete to

constitute an injury in fact for purposes of a claim for damages and that our

analysis in McMorris continues to guide our assessment of the “imminence”

component of injury in fact for purposes of Article III standing. Applying these

28 cases, we hold that Bohnak has Article III standing to bring her claims for damages

and that the district court erred in dismissing her claims for failure to plead

cognizable damages with reasonable certainty.

For these reasons, we REVERSE the district court’s judgment dismissing

Bohnak’s claims for damages and REMAND for further proceedings consistent

with this opinion.

29